1 / 23

Network Security Part I: Concepts

Network Security Part I: Concepts. Raj Jain Washington University Saint Louis, MO 63131 Jain@cse.wustl.edu These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse473-05/. Overview. Security Statistics, Attacks, Requirements Secret Key and Public Key Encryption

zwi
Download Presentation

Network Security Part I: Concepts

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network SecurityPart I: Concepts Raj Jain Washington UniversitySaint Louis, MO 63131Jain@cse.wustl.edu These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse473-05/

  2. Overview • Security Statistics, Attacks, Requirements • Secret Key and Public Key Encryption • Hash Functions • Message Authentication Code (MAC) • Digital Signature and Digital Certificates • RSA Public Key Encryption

  3. Security Threat Statistics • DoD networks were attacked 250000 times in 1995 (well before Internet popularity) • Of 38,000 friendly attacks, 65% succeeded • Only 4% of successful attacks were noticed by network administrators • Only a small fraction of those noticed were reported to authorities • FBI reports 163 organizations lost $123M in 1999 • Ref: M. Markow, “VPN for Dummies,” IDG Books, 1999.

  4. Security Attacks • Passive: • Release of message contents: Eavesdropping • Traffic analysis: monitoring frequency and length of messages, even encrypted nature of communication may be guessed • Difficult to detect • Active: • Masquerade: Pretend to be some one else • Replay: Capture and reuse for unauthorized effect • Modification of message • Denial of Service

  5. Security Requirements • Integrity: Received = sent? • Availability: Legal users should be able to use. Ping continuously  No useful work gets done. • Confidentialityand Privacy: No snooping or wiretapping • Authentication: You are who you say you are. A student at Dartmouth posing as a professor canceled the exam. • Authorization = Access Control Only authorized users get to the data

  6. Link vs End-to-End Encryption • Link All traffic secure. Vulnerable inside switches

  7. Secret Key Encryption • Also known as symmetric encryption • Encrypted_Message = Encrypt(Key, Message) • Message = Decrypt(Key, Encrypted_Message) • Example: Encrypt = division • 433 = 48 R 1 (using divisor of 9)

  8. Public Key Encryption • Invented in 1975 by Diffie and Hellman • Encrypted_Message = Encrypt(Key1, Message) • Message = Decrypt(Key2, Encrypted_Message) Key1 Text Ciphertext Key2 Ciphertext Text

  9. Public Key Encryption • RSA: Encrypted_Message = m3 mod 187 • Message = Encrypted_Message107 mod 187 • Key1 = <3,187>, Key2 = <107,187> • Message = 5 • Encrypted Message = 53 = 125 • Message = 125107 mod 187 = 5= 125(64+32+8+2+1) mod 187 = {(12564 mod 187)(12532 mod 187)...(1252 mod 187)(125 mod 187)} mod 187

  10. Modular Arithmetic • xy mod m = (x mod m) (y mod m) mod m • x4 mod m = (x2 mod m)(x2 mod m) mod m • xij mod m = (xi mod m)j mod m • 125 mod 187 = 125 • 1252 mod 187 = 15625 mod 187 = 104 • 1254 mod 187 = (1252 mod 187)2 mod 187 = 1042 mod 187 = 10816 mod 187 = 157 • 1288 mod 187 = 1572 mod 187 = 152 • 12816 mod 187 = 1522 mod 187 = 103 • 12832 mod 187 = 1032 mod 187 = 137 • 12864 mod 187 = 1372 mod 187 = 69 • 12864+32+8+2+1 mod 187 = 69×137×152×104×125 mod 187 = 18679128000 mod 187 = 5

  11. Public Key (Cont) • One key is private and the other is public • Message = Decrypt(Public_Key, Encrypt(Private_Key, Message)) • Message = Decrypt(Private_Key, Encrypt(Public_Key, Message)) Msg Msg Alice’sPublic Key Alice’sPrivate Key Msg Msg Bob’sPublic Key Bob’sPrivate Key

  12. Hash Functions Example: CRC can be used as a hash (not recommended for security applications) Requirements: • Applicable to any size message • Fixed length output • Easy to compute • Difficult to Invert  Can’t find x given H(x)  One-way • Difficult to find y, such that H(x) = H(y)  Can’t change msg • Difficult to find any pair (x, y) such that H(x) = H(y) Strong hash 12345678901234567 Hash 12345678901234767 Hash

  13. Digital Signature • Message Digest = Hash(Message) • Signature = Encrypt(Private_Key, Hash) • Hash(Message) = Decrypt(Public_Key, Signature) Authentic • Also known as Message authentication code (MAC) Private Key Hash Digest Text Signature Public Key Hash Signature Digest Text

  14. Message Authentication Code (MAC) • Authentic Message = Contents unchanged + Source Verified • May also want to ensure that the time of the message is correct • Encrypt({Message, CRC, Time Stamp}, Source’s secret key) • Message + Encrypt(Hash, Source’s secret key) • Message + Encrypt(Hash, Source’s private key) Message MAC

  15. MAC: Using One Way Hash

  16. Digital Certificates • Like driver license or passport • Digitally signed by Certificate authority (CA) - a trusted organization • Public keys are distributed with certificates • CA uses its private key to sign the certificate Þ Hierarchy of trusted authorities • X.509 Certificate includes: Name, organization, effective date, expiration date, public key, issuer’s CA name, Issuer’s CA signature EncryptCA private key User IDPublic Key hash User IDPublic Key

  17. Key Distribution • Application requests connection • Security service asks KDCfor session Key • KDC distributes session keyto both hosts • Buffered packet transmitted KeyDistributionCenter KDC shares a secret key with each Host.

  18. Confidentiality • User 1 to User 2: • Encrypted_Message = Encrypt(Public_Key2, Encrypt(Private_Key1, Message)) • Message = Decrypt(Public_Key1, Decrypt(Private_Key2, Encrypted_Message)  Authentic and Private Your PublicKey My PrivateKey Message

  19. RSA Public Key Encryption • Ron Rivest, Adi Shamir, and Len Adleman at MIT 1978 • Both plain text M and cipher text C are integers between 0 and n-1. • Key 1 = {e, n}, Key 2 = {d, n} • C = Me mod nM = Cd mod n • How to construct keys: • Select two large primes: p, q, p ≠ q • n = p×q • Calculate  = (p-1)(q-1) • Select e, such that lcd(, e) = 1; 0 < e < s • Calculate d such that de mod  = 1

  20. RSA Algorithm: Example • Select two large primes: p, q, p ≠ qp = 17, q = 11 • n = p×q = 17×11 = 187 • Calculate  = (p-1)(q-1) = 16x10 = 160 • Select e, such that lcd(, e) = 1; 0 < e < say, e = 7 • Calculate d such that de mod  = 1 • 160k+1 = 161, 321, 481, 641 • Check which of these is divisible by 7 • 161 is divisible by 7 giving d = 161/7 = 23 • Key 1 = {7, 187}, Key 2 = {23, 187}

  21. Summary • Passive and active attacks • Secret Key and Public Key Encryption • Secure Hash Functions • Message Authentication Code (MAC) • Digital Signature and Digital Certificates • RSA Public Key Encryption based on exponentiation

  22. Reading Assignment • Read Sections 21.1 through 21.4 of 7th edition of Stallings. You can skip AES, SHA-1 during this part.

  23. Homework • Submit answer to Exercise 21.6 in Stallings’ 7th edition

More Related